CVE-2026-28804
Received Received - Intake
Denial of Service via /ASCIIHexDecode in pypdf PDF Library

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version 6.7.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28804
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pypdf_project pypdf to 6.7.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing an attacker to craft a specially designed PDF file that triggers inefficient decoding in the pypdf library. This causes the decoding process to take an excessively long time, leading to long runtimes and potentially degrading the performance of your system or application that processes such PDFs.

The impact is primarily a denial-of-service-like effect where system resources are consumed inefficiently, which could slow down or disrupt normal operations.

Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28804 is a vulnerability in the pypdf Python library that affects versions prior to 6.7.5. The issue arises when decoding PDF streams that use the /ASCIIHexDecode filter. The previous implementation manually parsed the ASCIIHexDecode streams character-by-character, which was inefficient and could be exploited by an attacker crafting a malicious PDF to cause long runtimes.'}, {'type': 'paragraph', 'content': "This inefficient decoding process leads to excessive processing time, potentially degrading system performance. The vulnerability was fixed by replacing the manual parsing with a more efficient approach using Python's built-in functions, improving performance and maintainability."}] [1, 2, 3]

Detection Guidance

This vulnerability involves inefficient decoding of PDF streams using the /ASCIIHexDecode filter in the pypdf library prior to version 6.7.5. Detection would involve identifying PDF files processed by vulnerable versions of pypdf that contain streams using the /ASCIIHexDecode filter.

Since the issue causes long runtimes during decoding, monitoring for unusually high CPU or processing time when handling PDF files with pypdf could indicate exploitation.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

[{'type': 'paragraph', 'content': "The primary mitigation step is to upgrade the pypdf library to version 6.7.5 or later, where the vulnerability has been patched by improving the ASCIIHexDecode filter's performance."}, {'type': 'paragraph', 'content': 'For users unable to upgrade immediately, applying the changes from pull request #3666 is recommended as a workaround to improve performance and mitigate the vulnerability.'}] [2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28804. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart